The origin of Data Protection Impact Assessments

The use of an assessment methodology to personal understand privacy risks and rights has been known since the mid-1990s [1]. The growing interest in what were then called Privacy Impact Assessments (PIA) was triggered by the exponential growth of data storage and analysis plus the public reaction to the inevitable leaks and scandals. Today DPIAs are considered to be one of the key tools to address the lack of public trust in data processing.

In a way, DPIAs are an experiment in public policy.  Like their distant cousins the environmental impact assessment, they are a form of regulation that pushes responsibility onto the actors proposing the change. In this model it is not for the state to legislate for or against a particular change. Instead it is for the actor who wants to make a change to prove that it not harmful. Broadly speaking DPIAs aim at ensuring that novel data processing doesn’t lead to costs being borne by the community.

DPIAs can be traced back to concepts that emerged and grew in Australia, Canada, Ireland, New Zealand and the United Kingdom from about the mid-1990s.


The (now called) Office of the Australian Information Commissioner (OAIC) first published an Privacy Impact Assessment Guide [2] in August 2006


The Treasury Board of Canada Secretariat (TBS), issued a Directive on Privacy Impact Assessment [3] in April 2010.


The Health Information and Quality Authority produced a PIA Guidance [4] in December 2010

New Zealand

The Office of the Privacy Commissioner (OPC) issued guidance [5] in 1999, building on the requirement for Information Matching Privacy Impact Assessments (IMPIAs) in the Privacy Act 1993

United Kingdom

The Information Commissioner’s Office (ICO) published a PIA handbook [6] in 2007


The International Conference of Privacy and Data Protection Commissioners in November 2009 adopted the Madrid Resolution [7] calling for Privacy Impact assessments.


The Article 29 working party 29 endorsed [8] the first pan European DPIA with the European Union’s (EU) Radio-Frequency Identification (RFID) PIA framework in February 2011.


Europe has chosen to legislate for Data Protection and not Privacy so when the General Data Protection Regulation, was drafted in 2012 what was to become Art 35, explicitly provides for a DPIA.

The text of the GDPR enforced across Europe states:

“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”

These 64 words, together with a few recitals comprise the entirety of the DPIA specification in law. It is clear that many professionals will spend decades deciphering their true meaning.


But what is clear already is that mandatory impact assessments differ from traditional prescriptive legal regulation. Roughly speaking the predecessor in EU law to DPIAs was “Prior Notification” where a data controller would inform the regulator in advance and the regulator could intervene to stop the processing based on a combination of rules and policies prescribed by the regulator. DPIAs are different as the data controllers must devise and impose policies upon themselves having consulted with stakeholders.

Finally, a DPIA should be much more than a snapshot in time, but should rather be seen as a process. This means it needs to reviewed throughout the whole life cycle of the data processing operation and be continuously updated and managed.









Leave a Reply